rt) K steps 7W»-714.llu: nlhcrlwo Rto«i>|J"lK'y newels*. U 
(c;;f,>fcci!) ami OPO(i (noo-cnkircci!) are feci ink 
temporary milnrccd liM V£ and •"" 



I ll iS S< .,;•,,) .s: > Null- Ilia! \ 

step 70S. [he til'05 iili-j-il iiU.r is entered above ihe Gi'Oi 
klenlilier its the temporary cntV.«:ctl lisi Vl. 

When there are no more group policy objects at the current level to place in the lists, step 712 branches to step 720 of FIG. 7B, where the group policy objects in the temporary enforce list 92 are moved to a master enforce list 96 as represented in FIG. 8D. The master enforce list 96 will accumulate the enforced group policy objects from the various levels, and will ultimately be merged with a master non-enforce list 98 to construct the master list 90. Step 722 then tests if blocking has been selected at any level below the current level. If blocked, non-enforced group policy objects will not be applied. However, in the present example, there is no blocking selected, and thus step 722 branches to step 724 where the group policy objects in the temporary non-enforce list 94 are moved to the front of a master non-enforce list 98 as represented in FIG. 8E. Step 728 then tests to determine if the current level is the uppermost level in the hierarchy of directory containers for the user, e.g., the site level. Since the current directory container is the organizational unit OU2, and not the site level, step 728 branches to step 730 which selects the next level up, i.e., the organizational unit OU1 in the present example of FIG. 6. The process then returns to step 702 of FIG. 7A.

At step 702, the properties of the organizational unit OU1 are examined to determine if there is a group policy object associated therewith. Since in the present example of FIG. 6 there is not, step 702 branches to step 728 of FIG. 7B where the site level is again tested for and found untrue. At step 730, the process then selects the next level up, the domain directory container, Domain A, and returns to step 702 of FIG. 7A to handle any group policy objects associated with the Domain A.

As shown in FIG. 6, Domain A has three group policy objects associated therewith, GPO1, GPO2 and GPO3. As understood from the above description, step 704 selects
(i!'Ot,.slep 7()<i dell 



Step 722 then i.!'.:icr;nmes tlwl tin: wirt-i 
setlinKsaie blocked below Domain A. (via 1 

,s .luims ""v;';;" ' 1 i,i l ;':, 1 :; 1 „!'! : 

a.ss;)c;:iied villi dneclory ..)i.,;:cls (Mle--, don 
!-,i/alic.nal mills) above. As a lestili, Hsne is 
the same hierarehical level, i.e., fil'Oft < 
OP04. In nvwral. this means dial an> 
(siii'i'esled) policy above OU1 will (><• disca 
::ksiVlii;.s, 'f-iep 722 l.a aneltes to skp 72b x 
temporary non-enl'oreed list 94, winuut ad 
tiie-i-ni lo Ihe master non-efilorced l' l: l 9N. a 
SK. Nolo liiai ivid OV2 bi's-io.-d inbentane. 



dtrtclory container 



1.. is rhns added by stej 
92 (l'K.b Si.'), and rhen in 
ifoiee list 96 (NO SM). 



ste]i 7 



il'Ol i: 



«[.;). Steps 712 714 seled Ihe 
polir-v ob|L.cl, OI'()2 (notr enforced), 
:„iii 7 1(1 :„lil a Cd>(..!2 nte nl iliei Iher 
liLin-enloree list 94 (I'Ki. 81 1) Next, si 
|(»t , ,, , I i, I i. 70o „ 

Sl'ep ! 720i.ifbKi. 71! nCNl moves :!>■ 
tilt: temporary enforce list 92 to lire 
(l ; IG. SI). Nole dial as shown in I Hi. 
iist 96 is buik'iiriL.'. (npunivlly) the 
hitrarehy and then by stren & tl> wjrh 
enforced policy is handled in an inv< 
;i!ilie..u-li il:c strene.lh uoibm the bie:v. 
I his is'iii aeeoid with the overall com 
policy at Im'tim levels win versus ] 



n-etd'o; 



■il o.;ipee'-IC; 



ci'<)2 (";i'')'>, oi i 04, epos. oi'D-3, t;i'()3. ut 

At this time. Ihe. ordered list 90 of poi.e- 
eomplete, ir.U Ihe ['"'.bcies now may be npplun 
or user.-, of OU2 and/or the machine t>« which The user is Si ill ano 

l...<V'.^.p, on. II should be noted thai lhe machine |x>licics arc is I" 

applk.il i.. the roacliun; vvhen ihc machine npcraliiii; >,\rM<m iisstwialiut: 

is booMl. while I Ik; user Rruup iwlicies aie applied whet; i> I'M ! ""» 

user ol' the gfimp !..>■■> on. In addilfou, p.mtn- poifoy may he s sell,..;., ilia 



cheeped bv a p. -i; L -v j. mi that policy ..'! ..inpes arc apP.ced on scsnes in can a.: J j '- - »• < . ' " . 1 ; 
machines ihal arc not fo:<|ii«ril!y rc-hnolcd and for users lhal m: die iipp-ioauon ii.-i's^h; IiM =•.» '"' ^ 

Once the ,.i[i!,:i,:l! lis! '><> of policy objects is complete, ill imdefoied, ;-<- : " ; ""' ; '; : ; ^i>' :l l'. " 

p,,, >>n ,. c p,. :1 ; L "-- Pension 1 00 is .vpicnlSv called (see, . by a object in lliv !;m '«>. 1 process w,l« « 

— • L0 ~ : 2) s :f t 'r T .. :!:;r:v"- Vi , T " , -: 1 jd"";^ 

pr.witicd therein to Pi' iHMivwii in any Way l|ie <.lnrnl-M.ii. o:.H,u„e,i, . . ; ' ; , r ./; (n . d 

fxltiision 100 deems appropriate Indeed, becaa's: pie i/rnap to OSicry, :l1 wsiich tune ^ | j,,',!^,' pT,.,',,,, 

poiicv ohjeclMiiay eonlaoi virtually any !yya: ol mlon-nsHO-i, -id" aoneul ,s,,;.,:o.s ■ ' 'i'p r< ■ P- 1 - ■' - ^ 

awl because Pa: pslmmat,. ,o therein and Ule lisl VO may be vicled Hi I acmlalc atlmiei'-l, ,,;,,i e.. no.. . < • 7;'. 

uwd bv « diem extension UKI id any desired way, lll<: system ba.sp an a.ssoi lalioii iMvi.m j * u " 1 yP ' 

i,,,d melliod ol'ilu: present invention ait ho/fob e Ml i icil , lc epoup puhev oo ,,.:e, ,vi,v Pe ,P-.:i:.a',i, i ..p : i a ■ -k. . ■ .. 

Typica! CN.'implcs i>f Imw the IiM W> IS used is lu tklcmnne Iniiia se-kclic. il l". M. «•''>;•"_ : v: • I- 

which wcnnly scllu'ip,'. apply lo a n-cr or machine, (e.ii... .us appln-d n."- use:-- lo. It.' r ' ,r '; L ; 

access np.hl:, :niil;'nr p.ronp mtmlicri-hiiis), deientiinc Mowwc:. Hii> in n «. ^.i.iiv.i » n .i^ • ^' ^ 

whelhei one or more u.vci loKlvns an: id'tirccltd lu til.- tJ " o ' p r -. ■ ^ > ; ^ "■■'^ _^ "'" r : ,' ' ( V F - ■ , -j 1 - 1 'li^'.V ! = ^' 'i '■ r- ' ^ t"i Vi . 

network, and so mi. Sciipls may be processed accordiiu;, io .:■ pola v "• , K L ' "'■ ■■! ■ l " r ■"' " • 1 , | . ,, 

lilt ordered lisl !«>, for example U) apply policies thai p.roup pe>ii,:y oPjeels seen nv ilk ,n . . . . 

delcrmioc winch application* will he ecu, ally deployed mlerlace. , .„..|,, Li , s ho 

(assicncd, pi.ii.!,. -.he c .ni-i.or or -.1 a I le.il p. users an:.! -aia. limes An.,lhei .eanne ■:-, Ui.o a C- ; rl|0 . T- ■ ■ ■ ■ ■ •■■ 

1;! (ll; ,. r ... ( MS,as..:ese;il .i:.-.l t i .!s. ]..Pia ;l :i pp I ic.ll kill Sef. No. ^ ^'|' l |'" U: 7VV. 1 | 1 ; ps : i.sriO^-T a's vilH iiveaPy sc P ' 

Amillier typical way m winch pohcies arc applied in lo lately disahled Siieli disaldy.-. are plr .Ira , . ..i..,^u,. .^,i; pi^ 



periorni 



(or sonic eld null value if no poiicv is delined for a 
punkulur sen, up) !$v %v;iv ,P ..:var„,-le, ¥\C 10 shows One 

... lor ■...•riln.p !l.:. o.:o. hi pa iiera: , a policy sc'iinp, ■ 

may be defined or not defined, and if defined, has some value for its setting. Thus, defined policies are written into the registry from weakest to strongest, based on the ranked list 90 of group policy objects, whereby stronger group policy objects write defined policy settings over the settings of weaker policies, i.e., last writer wins. To this end, at step 1000 the weakest policy object in the list 90, i.e., the LGPO (local group policy object) is selected. Then, at step 1002,



thus siep 1004 branches to n1C| 
weakcsl p,roup policy objeel, "Gl 
HI0(, then icUuip. to step. UH»2 :■■ 
of "CiPOh" 10 the vep.islry. t'he 



aaii.enlly oveiscrillen by deiineil 1 '<"l*' r'- : -' l M' 



C;l>C)5 <;i'<)3 o, t.J'O) pohev). lu (his marine,, policies arc ,.s dilTcrcn. for foe p.ronps Piacinp the .piles-reieteo 
a,viiniul..leJ wil . -m'.ir.J ,r orJeainc d. |,n noned hy lhe a sloo.l yoaip i , hew •.. v, , : ensures that lhe sales , oli 



inlrrdeiislraior 



.istCTil I hroLle.hi.pl I lhe ciKcrpri.se. Note [hat linkiup, a 
a-,v : .c.i.ii:oi:s wllll i-l>"ir ^ h: -y 

domain boundary as shown in Ho. 
uml B2 (7ft,) is ussul-^J whh the i 
(66,). 

t.acli 'i-.h. v ob.tcel limy also nam 
nicnl m order I" include or cv, In.lc 
of umii'. from .vi:..n. policy To this 
may include ;m exclusion ftsl of use 
(hi-, policy will mil apply and oi *n iiiclusi.i 
o which Tin; polity wilt apply. 1'bi 



3, i.e., or£iiniiali< 



US 6,466,932 B1



* The • 



eiaied 



,V:!h ... 



.•cify which r. 



:. hi npncnrf, groups 



< Lo II"' (>roi 
Apply (.inn 



lelo. hi other 
I list <KI. i tic 
a plurality of 



lOUp 



mlieies liter 



:l. Noli 



■lip!' 



security identifiers and a list of rights associated with each security identifier, and are capable of handling both inclusion and exclusion. For example, within a research group, certain users may be given a different Internet access policy than other users, e.g., via the security descriptor, apply the policy to listed users A, B and C, but no others in the group. Alternatively, via the security descriptor, the policy is applied to users in the research group except X and Z, who are specifically denied access to the policy object. This enables policy to be tailored to individual users without having to construct many security groups to handle the various exceptions that typically arise in enterprises. Further, policy may be enforced for certain users and suggested for other users by splitting the policies into two groups (e.g., Ac and A), and then using security access control to select which users in that group get which policy.

Another aspect of the present invention enables policy based on the machine's physical location, in addition to the user's logical function (reflected in the user's membership in various groups). In other words, policy may be made net-

, | I i;. II ,i 1, ' . 1 i | ii i 

CfOUjJ policy object t.'-.p... <><>...> with a sits 7*,, as sliown m 
f'lO. 3, In this way. a w-scr ;«>V.iuK "=•> 1,1 '-'""I* n, /'>' !H ' 
flMOlllllUMl! polio sitlul' .lit in lh it s ■ ^ ' J 1 I IIH 1 
in the United States. The other aspects of the present invention, including layering (ordering), inheritance, blocking, linking, and exception management are applicable to the group policy object or objects of a site, and thus a site's policy object or objects may be anywhere within the ordered list.



"lite presi 
polity, a policy (bid is applied lo 
a number of domains 7(1,, ■7(1, unt! 
model, domains may he phct 
whereby tin. policy setups cl iJji- 
lli:r„, : ,h ;hc domains via inhcnluv 
;ll iove, a number of domains may ■ 
to achieve a similar etlecl 



veides for nn cmvetTiM.' 
I domains. I'K:. Usltows 

1 under lite enterprise, 
enlerpfise arc propiii;.ilcd 1 



fey;., CiWD) wilh respccl 
.: ;idlTliinslralor may nullify 
policy objeel, whereby thai 



eheul-side 
liaiidUni: rc 



irdereti lisi W lislins only 



o.dercd l:si 
■iroiip poii 



ibjecl In sticll an 
larly, if secuiily is 
VHi. LUJ shows another type of chmge. wherein ihc 
;,()n;iniNir,11or reorders llje polity objects, c.e,., GPOA, 
(ii'Oli ',:!'' M ' .tiiil GTOll lo Gi'OA, i.il J OC, Ci'OH and 
i,i'OI') liccaiisu of dependencies (o,f>„, ammiR saipls) ami 
oilier ouie.i-iehded ifiiirii'.'i , I»ks wr>u:r v, ' in "' Uti: 
'ep> 



s-.roup pol 



caded I 



., if ihe link was previously 
] mil wilhoul .1 response, lliis 
.'d, e.j;., the process branches 



(iPOli, id'OIS. has bea 
||K extensions th.'M 'leal 
I he fhannc information 
ami lire new poll 
dependencies »iiK«i|.j ill'' p 
sum:, i.!,euer;dly reapply Ihe 
Alioiber diaiip- winch e 



iron i 



w!ii.-:h:viT 



, mini 



iintilicaUon of (his lype of ehajif'C. Because 
s;;ips under directory conlioucas liclcnnnii. 
objects apply, each called eMcrlMOu wstl »n 
policy in response n> I he eall, although ih 
taken by the extension is up lo lire exlensio 
AnolLef factor thai may lie used lo inline 
policy is applied is ihe late Hi which data ma; 
| .'or example, if a link is slow, I hen certain 
Hon such as rcpislrv sellings are applied, b 
related events such as software installations 
(because lliey would mien (or, Iiinp,), e.g.. il 
applied due lo a slow ii»Jk. the scrip! exlensir 



, More 



V selling: 



deianit ( 



espon: 



I 104 rc 



:. l!;e n 



nil; I 



:p.s M3U WHfc eonveii the 'Cola! tune I 
, lb Ibis end, Mep 1430 averts I lie t; 

sic:-. \4i2 admsis se lire ani.-unl of , 
Kis) and ihe way in which tune is mease 
second). Step 1434 converts bytes lo I 
aiiiusls tor Ihe tiuils of I'lala Iranslei' i; 



esc if,,,:; Lui; milliseconds, then (he isjk-.w :!|..- r;■,:.■ 
, 1 he fast, whereby step 1406 branches «5 if above ihe 
O step 142(1 where the ilafcs are adjusted as necessary and whvrehy it* 
he process ends, intensions reentered for link Iransiiions aeeoialiny.ly. 



d data 



, ihe ;i;;k is con: 
rate, the link i: 
link irarts.iion ■ 



c (7.) >?■ 
y ,.,U,y ,,n^; ; , m ,bc n:,:,,,trv . it; lea ni !i,cs how policy is l.. k- >: ' "3 ' v f -| ,v 1L '; 1 I'kV .v!^: I.;. mt! 1 

JJ-pllCi!, Ill <•■■ HirCC lllOi.es. thv- L'UH'J.i, niOL.C, »l eOI>- [|J;[( i; „(,„,_-<. t | ,. r „ up p,,^ 

junclion with usci iH.licy. (iwrRe rm<le>. ui "Wean «■ i'J ,, lk „ l:!:l i ,>,„„,, ,,nticv objct 

MScr-bawl policy selliues (jcjtlaee mode). 4 mcl i, ( „i 0 f claim 1. 

llCi. 15 show* ;m example of how policy iSiiffhaHiawl ,, r(i , rlI ,,, ,,,, |:,,, MK .|, that cr. 

„n ihe »kk1.-. SCltim., wheat. »scrs uuikr o^nizalioni,] rank ,j iK :corilt,..,, 10 the 

OU1 ;„ K ; ! v,:u-i;r^r; 1 >:..l,:i-.:n.,;ini/iit ; :.i.;iiii !1 iM)i;2; 1 .l:l.nt:L[ ,.,, n ,, 1 , ni;r! „ seeii sltt.l - ^ch 

Domain/.. As show,, in 15. ()U1 has a j<iO!i:> policy ;■, ,^,-, L - :l ,| C[ [ w L l E j cad. hii;.he. 

objvet C'iPOO ;i<is.'wiaieit ihcrcwtih, OU2 has a i;roup policy ,),.,„ t;lC h p f()U p policy ohj. 

• .1.::-.-! (IPOt associated moo. wuh, and |.)om,:ioZ litis two ,|irf.<:fc>rv conlaincf, 

ltl - ( ,up policy niseis uss.K.-inlctl therewith, Cl'OA and 5 The mcihod of ela.m 1 

GJ'OU. AsdcswitHt.1 aU.ve. -I the i>orr,;,d uo.ic. the ordered , .idcaim; Hie hsl Mid) Uial no 



*i|h a jttur. 
..s.ngthe Me 
Willi Ihai tli 
ailal.lt; mctliui 



olicy ulijcrts is also provided, as is 

1;, sttscepiililc to various [nudilioa- 
constnictiuns, certain illustrated . 
I,. shown in t!u: drawing and iU'fV 
in detail. It should Ik understood, 
10 iiilcinion Hi limit the invention In 
■»s disc lost tl, In.r on Ihc coutiaiy. Hie 
:. till modifications, tilK'toalivt 
ivtilcnls I'allim. wilhifi fht spirit nn.l 



I. A method «f dehnimninc. policy 10 apply to a policy ule.in!. 
acpiem under a piiin.liiv of hierarchically on'tinntcti dios 12 

,„y eonliiincis, wherein ;.l km si one. of the directory wu- the slc| 

ni'icrs is associated wilh at lcjisl one e.milp policy olijool sle-p o 

laving policy inlonnttliot! therein, eomprisim;, llit slc.ps of: rctipk 

«lccl in;.' each diicclorv eo.'iU.itie:. and lor each selected excCM 
tltreelo.y conlamc; ' ( 

WHtI"!h'a !l„ ':'-hJv co.MUir.eia end il' so, tot each Ik sic 

jifoup policy object associated [herewith Step ol 

'delerminiiir; il' that U'cmp policy oKjcti is cninrccd. re,«ide 
and ii" so, tncludint; an idcn'.ilio' cil lha; i-.iCup i: 1 ' Hens 

policy i.ihjccl in •:. list ol' pjolij:- pclicy ol-ije.cls 10 to the « 

apply to the poliey iccipicin, and if nol tul'orccd: ulijeci. 
15 Tlx 



dafelv imxliiun nt claim 14 having: ^ """I" 

,1,1. Instructions for pcrlorminij I be cxta.tsl>le iiisin 
c olhci nine, ;iik! placing poltc; 



16. The InmjMi^r-r^di.b 
UNITED STATES PATENT AND TRADEMARK OFFICE

CERTIFICATE OF CORRECTION

PATENT NO. : 6,466,932 B1 Page 1 of

DATED : October 15, 2002

INVENTOR(S) : Dennis et al.

It is certified that error appears in the above-identified patent and that said Letters Patent is hereby corrected as shown below:

Column .',

Line 34, "furthest" should read -- farthest --.

Line 59, "sites, domains organizational units" should read -- sites, domains, organizational units --.

Column l f

Line 27, "list of group policy object" should read -- list of group policy objects --.

Column 7,

Line !, "(70A)" should read -- (70A), --.

Column %

Line S.i, "list 96. (FIG. 8J)." should read -- list 96 (FIG. 8J). --

Column 10,

Line 62, "DACI-S" should read -- DACLs --.

Column L\

Line iL, "GPOB GPOC" should read -- GPOB, GPOC --.

Line V7, "poliees" should read -- policies --.

Line oo, "no (zero bytes) of data" should read -- no (zero bytes of) data --.

Column 'in,

Line IS, "shown) It" should read -- shown). If --.

Column Ji

Line 30, "GPOD GPOA" should read -- GPOD, GPOA --.
CERTIFICATE OF CORRECTION

PATENT NO. : 6,466,932 B1 Page 2 of

DATED : October 15, 2002

INVENTOR(S) : Dennis et al.

It is certified that error appears in the above-identified patent and that said Letters Patent is hereby corrected as shown below:

Column 20,

Line 21, "comprising" should read -- comprising. --.

Signed and Sealed this

Nineteenth Day of October, 2004

JON W. DUDAS

United States Patent and Trademark Office